
ACI / Impact of importing a new certificate?

suneq
Level 1

Hi experts,

We updated the DNS name of our APICs and therefore need a new SSL certificate.

Is there any expected outage when importing the new certificate? We use VMM integration with vCenter and want to avoid any service interruptions.

Thanks for your advice.

1 Reply

AshSe
Level 4

Hi @suneq 

Updating the SSL certificate on your Cisco ACI APICs is a critical task, especially when you have VMM integration with vCenter. Generally, importing a new SSL certificate should not cause a significant outage, but there are a few considerations to keep in mind to ensure a smooth process:

  1. Preparation:

    1. Ensure you have the new SSL certificate and the corresponding private key ready.
    2. Verify that the new certificate is correctly signed and matches the new DNS names of your APICs.
  2. Backup:

    1. Take a backup of your current APIC configuration before making any changes. This will allow you to restore the previous state in case something goes wrong.
  3. Importing the Certificate:

    1. You can import the new SSL certificate through the APIC GUI or CLI. The process typically involves uploading the certificate and private key, and then applying the changes.
  4. Expected Behavior:

    1. When you import and apply a new SSL certificate, the APICs will restart their HTTPS services to apply the new certificate. This can cause a brief interruption in the APIC GUI and API access.
    2. The VMM integration with vCenter should not experience significant downtime, but there might be a brief moment where the APICs are not reachable via HTTPS. This should not affect the underlying network policies or the operation of the VMs.
  5. Minimizing Impact:

    1. Perform the certificate update during a maintenance window or a period of low activity to minimize the impact on your environment.
    2. Notify relevant stakeholders about the planned update and the expected brief interruption in APIC access.
  6. Verification:

    1. After importing the new certificate, verify that the APICs are accessible via the new DNS names and that the new certificate is being used.
    2. Check the VMM integration to ensure that it is functioning correctly and that there are no connectivity issues with vCenter.

Here is a high-level overview of the steps to import the new SSL certificate via the APIC GUI 5.2(5c):

The path to manage SSL certificates in Cisco APIC v5.2(5c) is:

Admin > AAA > Security > Public Key Management > Key Ring, Certificate Authorities

To upload an SSL certificate, you should use the Key Ring tab. Here’s a step-by-step guide to upload the SSL certificate:

  1. Log in to the APIC GUI:

    1. Open your web browser and log in to the APIC GUI using your admin credentials.
  2. Navigate to the Certificate Management Section:

    1. Go to Admin > AAA > Security > Public Key Management.
  3. Select the Key Ring Tab:

    1. Click on the Key Ring tab. This is where you manage the SSL certificates for the APIC.
  4. Import the New Certificate:

    1. In the Key Ring tab, you should see an option to Import or Add a new certificate.
    2. Click on the Import button.
  5. Upload the New Certificate and Private Key:

    1. Follow the prompts to upload the new SSL certificate and the corresponding private key.
    2. Ensure that the certificate is in the correct format (usually PEM) and that the private key matches the certificate.
  6. Apply the Changes:

    1. After uploading the certificate and key, apply the changes. The APIC will restart its HTTPS service to apply the new certificate.
  7. Verify the New Certificate:

    1. Once the changes are applied, verify that the APIC is accessible via the new DNS names and that the new certificate is being used.
    2. You can check this by accessing the APIC GUI and inspecting the certificate details in your web browser.

By following these steps, you should be able to successfully upload and apply the new SSL certificate on your Cisco APIC v5.2(5c). This process should not cause significant service interruptions, but it is always a good practice to perform such updates during a maintenance window to minimize any potential impact.
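
The Preparation and Verification checks described in the reply above (key matches certificate, certificate covers the new DNS names, the APIC actually serves the new certificate) can be run from a workstation with OpenSSL. This is an added example, not part of the original reply or of Cisco's documentation; the host names (`apic1.example.test`) and PEM file names are placeholders, and the 30-day expiry margin is an assumption.

```shell
#!/bin/sh
# Added example: pre-import and post-import checks for an APIC certificate.
# Host names and file paths are placeholders (assumptions), not from the thread.

# 0 if the private key belongs to the certificate (public keys are identical).
cert_matches_key() {  # usage: cert_matches_key cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is valid for the given DNS name (SAN, or CN fallback).
cert_covers_name() {  # usage: cert_covers_name cert.pem apic1.example.test
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# 0 if the certificate is still valid N seconds from now (default: 30 days).
cert_not_expiring() {  # usage: cert_not_expiring cert.pem [seconds]
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate read from a file.
cert_fingerprint() {  # usage: cert_fingerprint cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# After the import: 0 if host:443 serves exactly the certificate in cert.pem.
served_cert_matches() {  # usage: served_cert_matches apic1.example.test cert.pem
    served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$served" ] && [ "$served" = "$(cert_fingerprint "$2")" ]
}

# Run all pre-import checks; prints one line per failed check.
preflight() {  # usage: preflight cert.pem key.pem dns-name...
    cert=$1 key=$2 rc=0; shift 2
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: key does not match certificate"; rc=1; }
    cert_not_expiring "$cert" ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }
    for name in "$@"; do
        cert_covers_name "$cert" "$name" ||
            { echo "FAIL: certificate not valid for $name"; rc=1; }
    done
    return $rc
}
```

Run `preflight` with every APIC DNS name before the import, and `served_cert_matches` against each APIC once the HTTPS service has restarted.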
